• Sublime Core Feed
Medium Severity

Open redirect: Doubleclick.net

Labels

Credential Phishing
Malware/Ransomware
Open redirect
Sender analysis
URL analysis

Description

Doubleclick.net link leveraging an open redirect from a new or outlier sender.

References

No references.

Sublime Security
Created Jan 22nd, 2024 • Last updated Jul 8th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.links) < 10
and any(body.links,
        .href_url.domain.root_domain == "doubleclick.net"
        and (
          strings.icontains(.href_url.path, "/aclk")
          or strings.icontains(.href_url.path, "/pcs/click")
          or strings.icontains(.href_url.path, "/searchads/link/click")
        )
        and regex.icontains(.href_url.query_params,
                            '&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
        )
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started